Desktop App Startup Online Check Scheme

I need to develop a scheme to check for # of current users of a desktop app (written in another language but the principle is what I need validation of).

I will use Xojo Web for the API for the desktop app to callup (on startup), with a token, check against the db and increment the count for the particular customer. Customer will have a license for x number of users. All of this is good and I can get it done.

My question is more one of how an organisation would firstly set the config file I supply with the token to the correct location (User\Application Data currently) and secondly, if the token needed to change, how they would go about changing that ?

Naturally I don’t want their users to all have to go in and enter such a code (and a few other config items) but rather want to know what I can do to assist customers to get that to happen with minimal effort ? Would this be like a script that the org could run to save the config file to each users appdata etc ? Then what about if/when the token needed to change ?

Not much of a network / script type guy so thanks in advance for any and all pointers.


Use a standard login system that track per-customer sessions. When a session times out, remove that session from the concurrent user tracking table in your database. When a new user for that particular customer logs in, check the number of concurrent sessions in the DB against the number they’re approved to have.

Thanks Anthony - and yes if I wanted users to do a normal email and pw login that would of course work.

I was angling more towards:

a. An org wide token
b. The desktop app could pick up (Win) the user name and that could go to the server

IOW not needing an individual user to log in (let’s ignore SSO for now). So then the question became where and how to store (and update) the org token if that makes sense ?


EDIT: As it’s a desktop tool, don’t want sessions to be involved. It’s a case of validating there is a user spot free and then taking that up (thereby allowing startup of the app)

I would probably require some kind of login after install and store the ID in SpecialFolder.ApplicationData, then provide a mechanism to update the token if it fails to verify on session register when the app opens.

Not a remotely secure system, but it’ll do what you’re asking for.

We use Twilio’s Authy for OTP and MFA - even if you don’t implement an SSO solution having a 2FA/MFA strategy is very good for your users to know you take security seriously.

Thanks both and certainly @Mike_Cotrone your suggestion is a strong possibility for the roadmap for my web app.

For my desktop tool, the last resort would be putting a log in screen in front of every user so they have to do that every morning when they start their apps up.

Just want an org to buy 20 licenses and install on however many machines they want. Each start, online check to ensure a spot is free and take it up if it is.


This is exactly what I do on my desktop app regarding your login screen.

We also use Twilio Authy for 2FA/MFA.

Thanks @Mike_Cotrone. Nice design as well by the way.

1 Like